IPSec VPN through ZBF

Aug 23rd, 2010

Hello All,

I am porting the config from an 1841 that had an L2L IPSec VPN set up with a SonicWall peer. This 1841 had a CBAC firewall on it as well. We are retiring this router and moving the VPN over to a 1941 router with a zone-based firewall. How do I set up the ZBF to allow this IPSec VPN tunnel? Can I use VTI when connecting to a non-Cisco host (SonicWall)? Right now there are only two zones set up (inside/outside).

Thanks!

Jitendriya Athavale Mon, 08/23/2010 - 08:03

Well, since you have only 2 zones it makes life much easier; you don't have to worry about permitting ESP and ISAKMP traffic in ZBF.

Now, since you have 2 zones, have the following configured for the IPsec VPN:

    zone-pair out-in
      match acl - remote end network to my end network
      action inspect

    zone-pair in-out
      match acl - my end network to remote end network
      action inspect

I would suggest using 15.0 code or later whenever you are implementing ZBF; it has better support for ZBF.
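The two zone-pairs sketched above, written out as Cisco IOS zone-based firewall configuration. This is an added example, not the poster's or Cisco's configuration. The interface names, the 192.168.10.0/24 (local) and 192.168.20.0/24 (remote SonicWall) networks, and all object names are assumptions; the crypto map is assumed to have been ported from the 1841 unchanged and applied to GigabitEthernet0/0.

```cisco
! Added example (not from the thread). Assumptions, not stated on the page:
!   inside LAN              192.168.10.0/24 on GigabitEthernet0/1
!   remote (SonicWall) LAN  192.168.20.0/24
!   Internet                GigabitEthernet0/0, crypto map ported from the 1841
!
! 1. Zones and interface membership (the self zone is deliberately not used)
zone security inside
zone security outside
interface GigabitEthernet0/1
 description LAN
 zone-member security inside
interface GigabitEthernet0/0
 description Internet
 zone-member security outside
!
! 2. ACLs scoped to the tunnel networks only, so the out-in policy does not
!    open the inside zone to the whole Internet
ip access-list extended VPN-REMOTE-TO-LOCAL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended VPN-LOCAL-TO-REMOTE
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! 3. Class maps: one per direction for the tunnel, one for normal Internet access
class-map type inspect match-all CM-VPN-IN
 match access-group name VPN-REMOTE-TO-LOCAL
class-map type inspect match-all CM-VPN-OUT
 match access-group name VPN-LOCAL-TO-REMOTE
class-map type inspect match-any CM-INTERNET-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 4. Policy maps; anything not classified falls into class-default and is dropped
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-IN
  inspect
 class class-default
  drop log
policy-map type inspect PM-IN-OUT
 class type inspect CM-VPN-OUT
  inspect
 class type inspect CM-INTERNET-OUT
  inspect
 class class-default
  drop log
!
! 5. Zone pairs: "out-in" inspects remote-initiated tunnel sessions,
!    "in-out" inspects local-initiated tunnel and Internet sessions
zone-pair security out-in source outside destination inside
 service-policy type inspect PM-OUT-IN
zone-pair security in-out source inside destination outside
 service-policy type inspect PM-IN-OUT
```

Because no zone-pair touches the self zone, ISAKMP (UDP 500/4500) and ESP addressed to the router itself are permitted by default and need no policy. On 15.x code the inspect policy acts on the decrypted packet, which is why the out-in class matches the private remote network rather than the peer's public address; keep that class limited to the tunnel networks, since a wider match there is an inbound hole from the Internet. Verify with `show policy-map type inspect zone-pair sessions` after bringing the tunnel up.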

Diego Armando C... Mon, 08/23/2010 - 12:11

And don't configure a self zone. If you do, you will basically have to permit ESP and UDP 500. You will need to create 2 zones, one from Out to Self and another one from Self to Out, to PASS ESP.
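For comparison, this is what the extra zone-pairs look like if the outside zone is paired with the self zone after all. It is an added example, not the poster's configuration; the peer address 203.0.113.2, the zone name "outside" and the object names are assumptions.

```cisco
! Added example (not from the thread): only needed when a self zone-pair exists.
! Assumptions: outside zone already defined, SonicWall peer is 203.0.113.2.
zone security outside
!
! Match the peer's IKE (UDP 500), NAT-T (UDP 4500) and ESP in each direction.
! ESP cannot be inspected, so both directions need an explicit "pass".
ip access-list extended VPN-PEER-IN
 permit udp host 203.0.113.2 any eq isakmp
 permit udp host 203.0.113.2 any eq non500-isakmp
 permit esp host 203.0.113.2 any
ip access-list extended VPN-PEER-OUT
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.2
!
class-map type inspect match-all CM-VPN-PEER-IN
 match access-group name VPN-PEER-IN
class-map type inspect match-all CM-VPN-PEER-OUT
 match access-group name VPN-PEER-OUT
!
policy-map type inspect PM-OUT-SELF
 class type inspect CM-VPN-PEER-IN
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUT
 class type inspect CM-VPN-PEER-OUT
  pass
 class class-default
  drop log
!
zone-pair security out-self source outside destination self
 service-policy type inspect PM-OUT-SELF
zone-pair security self-out source self destination outside
 service-policy type inspect PM-SELF-OUT
```

The caveat is in the class-default lines: once these zone-pairs exist, everything else between the Internet and the router itself (management SSH, ICMP, routing protocols, router-originated DNS and NTP) is dropped unless it is classified too, which is exactly the extra work the reply above says you avoid by leaving the self zone alone.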

tjd2112pcca Tue, 08/31/2010 - 11:16

The new router has two interfaces to the Internet via two different providers. Can I run CBAC and all the VPN traffic on one public interface and the zone-based firewall on the other, internal client-serving interface? I have read that you can mix CBAC and ZBF together.
